An Analysis of Attacks on Blockchain Consensus (DRAFT)

BY KEYHUNTER 06.03.2025
An Analysis of Attacks on Blockchain Consensus (DRAFT)

We present and validate a novel mathematical model of the blockchain mining process and use it to conduct an economic evaluation of the double-spend attack, which is fundamental to all blockchain systems. Our analysis focuses on the value of transactions that can be secured under a conventional double-spend attack, both with and without a concurrent eclipse attack. We account for an attacker capable of increasing profits by targeting multiple merchants simultaneously. Our model quantifies the importance of several factors that determine the attack’s success, including confirmation depth, attacker mining power, and a confirmation deadline set by the merchant. In general, the security of a transaction against a double-spend attack increases roughly logarithmically with the depth of the block, made easier by the increasing potential profits, but more difficult by the increasing proof of work required. We find that a merchant requiring a single confirmation is protected against attackers that possess as much as 10% of the mining power, but only provided that the total value of goods at risk for double-spend is less than 100 BTC. A merchant that requires a much longer 55 confirmations (≈9 hours) will prevent an attacker from breaking even unless he possesses more than 35% of the current mining power, or the value of goods at risk exceeds 1M BTC.

1 Introduction

Despite the widespread adoption of blockchain-based digital currencies like Bitcoin [16], there exists little guidance on the actual value of goods or services that can be secured against double-spend attacks using blockchain transactions. The need for understanding the risk has always been of paramount importance to merchants; and the need is now shared by an increasing number of services that leverage blockchain transactions for settlement. For example, sidechains [4] and the Lightning Network [18] may be deployed shortly, and the security of each depends heavily on the underlying security of the Bitcoin transactions from which they are bootstrapped. Yet, all earlier studies of the economics of double-spend attacks fall short because of the simplicity of their model and resulting inability to capture the full complexity of the problem. In the present work, we derive a novel, continuous-time model for the double-spend attack, and use it to evaluate…

the economics of the conventional attack; we also use it to evaluate the attack in the presence of a concurrent eclipse attack \cite{one.prop/three.prop}, in which adversaries occlude a targeted peer’s view of the majority’s blockchain.

Double-spend attacks cannot be prevented in blockchain currencies because they are subject to the FLP impossibility result \cite{one.prop/zero.prop}, which says, informally, that consensus cannot be reached in distributed systems that do not set a deadline for when messages (i.e., new blocks) can be received. The primary mitigating defense against double-spends is for the merchant to wait for a transaction to receive ( z ) confirmations (i.e., ( z – 1 ) blocks are added after the block in which it originally appeared) before releasing goods to a customer. Nakamoto derived the probability of success for that defense, but the result is limited because it considers neither the cost of the attack, nor the revenue that the attacker stands to gain. Moreover, although it has been shown that the eclipse attack makes double-spending easier \cite{one.prop/three.prop}, no prior work has yet quantified the security of a merchant’s transactions in such a case where her view of the blockchain is obstructed.

Contributions. We contribute a novel economic evaluation of double-spend attacks in Bitcoin that could easily be extended to similar blockchain currencies such as Litecoin \cite{one.prop/four.prop} or Zerocash \cite{two.prop/two.prop}. We derive and validate equations for the value of transactions that can be secured against a double-spending adversary, who controls any portion of the mining power less than a majority. We also evaluate the double-spend attack when conducted contemporaneously with the eclipse attack.

Our results quantify Bitcoin’s security as a currency. We show that the correct attacker model considers not just the attacker’s mining power and transaction confirmation depth ( z ), but also the attacker’s potential reward, or goods at risk, which can be conservatively estimated by a merchant as the summed value of coin in the ( z ) confirmation blocks that is exchanged between individuals (turnover) \cite{one.prop/five.prop,one.prop/nine.prop}. We find that blockchain security against double-spend attacks increases roughly logarithmically with block depth, made easier by increasing goods at risk, but more difficult by the increasing proof of work required. Our model also quantifies the synergistic value of a concurrent eclipse attack.

For example, when the summed turnover for a transaction’s first confirmation block is as high as 100 BTC, we determine that a single confirmation is protected against attackers that can increase the current mining power by no more than 10%. Waiting for significantly more confirmations increases a transaction’s security considerably. With 55 confirmations and aggregate turnover of up to 1M BTC, a transaction can be protected from a double-spend attack as long as the attacker possesses less than 35% of the current mining power. We also demonstrate quantifiably that if merchants impose a conservative confirmation deadline, then a concurrent eclipse attack can only make double-spends more profitable if the attacker possesses less than 35% of the mining power or if the merchant requires fewer than 10 confirmations.

2 Background and Related Work

Using a blockchain as a method for distributed consensus was first proposed by Nakamoto as part of his or her development of the Bitcoin digital currency [16]. Blockchains allow for an open group of peers to reach consensus, while mitigating Sybil attacks [7] and the limitations imposed by the FLP impossibility result [10] through a mining process. We refer the uninitiated reader to Appendix A for a detailed overview of blockchain consensus and Bitcoin. Additionally, several articles are available that offer summaries of broader Bitcoin research issues [46, 25]. Below, we summarize two particularly relevant attacks, and then summarize why our contributions are distinct from related work.

2.1 Relevant Attacks

Double spending. A fundamental attack against Bitcoin is the double-spend attack [16], which works as follows. An attacker creates a transaction that moves funds to a merchant’s address. After the transaction appears in the newest block on the main branch, the attacker takes possession of the purchased goods. Using his mining power, the attacker then immediately releases two blocks, with a transaction in the first that moves the funds to a second attacker-owned address. Now the attacker has the goods and his coin back. To defend against the attack, a merchant can refuse to release goods to a Bitcoin-paying customer until ( z ) blocks have been added to the blockchain including the first block containing a transaction moving coin to the merchant’s address. Nakamoto calculated the probability of the attack succeeding assuming that the miner controlled a given fraction of the mining power [16]; for a given fraction, the probability of success decreases exponentially as ( z ) increases.

In general, a merchant may wait ( z ) blocks before releasing goods, which can thwart an attacker. But choosing the minimum value of ( z ) that secures a transaction is an unresolved issue. The core Bitcoin client shows that a transaction is unconfirmed until it is six blocks deep in the blockchain [3], and the advice from researchers to policymakers can be vague; e.g., “for very large transactions, coin owners might want to wait for a larger number of block confirmations” [5].

Eclipse attacks. Heilman et al. showed that Bitcoin’s p2p network peer discovery mechanism is vulnerable to eclipse attacks [13], which occlude a victim peer’s view of the blockchain. For example, if an adversary controls a botnet, he can fill a peer’s table of possible neighbors, resulting in a very high chance the victim will connect only to the attacker. Alternatively, the eclipse can involve controlling a victim’s local connection to the Internet.

Heilman et al. also showed that eclipse attacks can be used as a tool to increase the effectiveness of the double-spend attack on a merchant. First, the attacker eclipses the merchant’s view of the blockchain. Then, he sends the merchant a seemingly honest transaction ( H ), which contains the payment for a good. Third, the attacker sends to the miners a faulty transaction ( F ) that moves the funds elsewhere. Next, he creates and sends a series of ( z ) blocks to the victim merchant.

such that $H$ is part of the first block. Finally, he continues the eclipse until the real blockchain has progressed by at least $z + 1$ blocks. At that point, he has both the goods and the Bitcoin that the merchant intended to keep.

2.2 Related Work

Nakamoto derived the double-spend attack’s success probability in the original Bitcoin paper [1]. The main limitation of this approach is that it fails to include attack cost, which would place the severity of an attack in a real world context. Moreover, the model itself is also overly simplified in that it models the creation of an entire sequence of blocks as a single Poisson process. Accordingly, we cannot rely on the accuracy of the model for large numbers of consecutive blocks, which is necessary for determining the security of high-value transactions.

In their paper introducing the GHOST protocol [2], Sompolinsky et al. extended Nakamoto’s model by incorporating network delays and by allowing the expected block creation time to deviate from the 10-minute average used today. With this model, they showed that double-spend attacks become more effective as either the block size or block creation rate increase (when GHOST is not used). With a trivial change, our work could also vary the expected block creation time. A less trivial (but quite interesting) change would allow us to also model network delays.

Sapirshtein et al. [3] first observed that some double-spend attacks can be carried out essentially cost-free in the presence of a concurrent selfish mining [4] attack. More recent work extends the scope of double-spends that can benefit from selfish mining to cases where the attacker is capable of pre-mining blocks on a secret branch at little or no opportunity cost [5] and possibly also under a concurrent eclipse attack [6]. The papers identify the optimal mining strategy for an attacker and quantify the advantage that he can expect to have over the merchant in terms of pre-mined blocks. This analysis is complementary to ours; it is possible to relatively easily incorporate the pre-mining advantage into our model by simply changing the attacker’s block target from $z$ to $z – c$. We note that pre-mining in the context of the eclipse attack may not be feasible since an eclipse cannot generally be carried out for an indefinite period of time. Nevertheless, we intend to update both of our double-spend analyses to account for cost-free pre-mining in future work.

The objective of Rosenfeld [7] is most similar to ours and his analysis is a great improvement over the 6-block rule. However, his model cannot be applied to the concurrent eclipse attack scenario and he makes several simplifying assumptions that render the results for the conventional double-spend attack less accurate than ours, particularly as the number of required confirmations, $z$, grows (we compare quantitatively in Fig. [8]). Additionally, his approach — as well as all of those cited above — models only the order of block creation and not block mining time explicitly. As a result, it is difficult to extend his results to model cost in circumstances where the attacker is given a specific deadline (as we have done in our eclipse attack analysis) or where an attacker drops out because the honest miners have already won. We develop a richer, continuous-time model that explicitly accounts for attacker cost as a function of mining duration.

Heilman et al. offered a detailed analysis of the mechanics of an eclipse attack, as well as several protocol-level defenses to the attack. But they attempted no analysis of an attacker’s economic incentives. As a result, it remains unclear what minimum number of confirmations, ( z ), are sufficient to secure a given value of purchased goods. In this paper, we derive a model for the profit received by an adversary who launches an eclipse attack, and use it to determine the attacker’s break-even point for various values of ( z ).

3 Analysis of Double-spend and Eclipse Attacks

In this section, we compute the security of a transaction against a double-spend attack, both with and without a concurrent eclipse attack, in cases where the transacted coin is used as payment for goods or services, which we call goods at risk. Specifically, we are able to determine the fraction of mining power ( q ) required by an attacker to profitably double-spend a transaction given the value of goods at risk ( v ) and transaction confirmation blocks ( z ) required by the target (merchant, service, etc.). As we explain below, ( v ) is conservatively estimated as not just the Bitcoin value of goods sold by a single merchant, but as the sum amount of coins transferred between entities (turnover) by all transactions in the ( z ) confirmation blocks. Our guiding principle is that a resource is secure from an attack only if it is worth less than the attack’s cost. We find that because of the well-behaved statistical properties of mining times and transparency of transaction values, Bitcoin is particularly amenable to such an analysis.

Attack cases. In this section, we analyze two double-spend attack strategies. Case 1 assumes that the attacker is capable of eclipsing the merchant while conducting a double-spend attack. Case 2 assumes that the attacker elects not to employ an eclipse attack (or equivalently, fails in an attempt to do so). Assuming that the merchant follows our mitigation guidelines, we provide bounds on the expected break-even point for the attacker in both cases. We find that there are two distinct attack regimes where one case dominates the other based on the attacker’s share of the mining power ( q ). When ( q \leq 0.35 ) and ( z ) remains relatively low, Case 1 affords the attacker a lower break-even point. The opposite is true for ( q \geq 0.35 ) and large ( z ), where Case 2 dominates.

Attack target. Throughout most of this section we proceed under the assumption that the attacker targets a single merchant, which is not strictly true. First, the target need not be an individual at all; the attacker could instead target blockchain-based services. Second, he could exploit multiple targets simultaneously. We discuss the ramifications of the former in Section 4 and the latter presently. Simultaneous attacks increase the attacker’s potential profit by allowing for multiple double-spends to be placed in a single block. Moreover, even if a merchant requires ( z ) confirmations, the attacker might be lucky to find other merchants requiring only one, which means that the attacker could potentially profit from all ( z ) blocks. The potential profit in a block can be bounded by the sum of all Bitcoin transferred, or \textit{turned over}, between distinct entities. We call the aggregate turnover value for ( z ) blocks the \textit{( z )-maximal goods} because it represents the maximum Bitcoin value of goods that could be exploited by the attacker in the ( z ) confirmation blocks. Several past works have evaluated metrics for estimating that value \cite{one.prop,five.prop,one.prop/nine.prop}. Thus, we can model the simultaneous attack scenario by letting the goods at risk, ( v ), be equal to the ( z )-maximal goods.

Mitigation measures. We assume that the merchant will take certain precautions. First, because the attacker is capable of profiting from the ( z )-maximal goods, the merchant will set ( z ) adaptively based on the turnover of each block as it is added to the blockchain. Specifically, she will only release goods after ( z ) confirmations if the expected cost to an attacker exceeds the ( z )-maximal goods. Second, when the merchant is concerned about a simultaneous eclipse attack, she will impose a deadline ( d ) for the receipt of all ( z ) confirmations. It is always possible to double-spend against an eclipsed merchant — only the attack duration varies based on the attacker’s fraction of mining power ( q ) — thus ( d ) serves to increase the attacker’s cost by increasing his loss rate. Because ( z ) is set dynamically, ( d ) would most naturally be defined as a linear function of ( z ).

3.1 Attacker model

We make the following simplifying assumptions about the attack environment as well as the attacker’s capabilities and behaviors.

  • The attacker’s mining power constitutes a fraction ( 0 < q < 0.5 ) of the total mining power. When ( q \geq 0.5 ), the attacker holds a majority of the mining power, in which case Bitcoin cannot secure any transaction.
  • The network is correctly calibrated so that a block is produced roughly once every ( 10 ) minutes given the current mining power, which is generally true in the real system. Bitcoin adjusts its difficulty once every ( 2,016 ) blocks (about every two weeks), and we assume these attacks have no affect on the difficulty while they are run.
  • The eclipse attack succeeds without fail. An eclipse attack is likely to incur some cost, but we do not include it because that cost is hard to estimate. For example, in the most general scenario, a botnet might be required \cite{one.prop/three.prop}. On the other hand, if a merchant is physically accessible and has only a single, unsecured wireless link to the Internet, eclipse attacks are much simpler and much less costly. We also assume the attacker does not launch a denial-of-service attack on honest miners.

Attacker strategy Case 1: The attacker launches an eclipse attack against one or more merchants. He diverts his mining power, ( q ), from the main branch to mining an alternate \textit{fraudulent branch} that contains in the earliest block a transaction that moves coins to the merchant; the blocks are sent to the merchant as they are mined. Once the attacker reaches ( z ) blocks on the fraudulent branch, the merchant releases the goods to the attacker. The attacker ceases to mine on the fraudulent branch, and waits until the main branch grows longer than the fraudulent branch. He then ceases to eclipse the merchant, allowing her to realize that the actual longest branch does not contain the transaction that transferred coin to her.

In principle, the attacker has an unlimited amount of time to produce the ( z ) blocks he uses to unlock the goods from the merchant. He is limited only by the amount of time he is able to eclipse the merchant and the time his is willing to divert his mining power away from the main branch. However, the merchant will likely suspect that she is being eclipsed if the actual time it takes for her to receive ( z ) blocks is drastically different than the expected time (roughly 10 minutes per block). Therefore, we propose that the merchant refuse to hand over the goods if the ( z ) blocks are not received by her deadline ( d ), a parameter that we described in our discussion of mitigation measures. Given this change in policy, the attacker will naturally adjust to cease mining on the fraudulent branch once he either mines ( z ) blocks or the deadline has passed. For this case, we do not consider the possibility that the attacker attempts to replace the main branch with his false branch, thus we assume that the coinbase rewards earned on the fraudulent branch are useless.

Attacker strategy Case 2: No eclipse attack is leveraged, but the attacker again possesses fraction ( q ) of the total mining power. This time, after releasing the transaction that pays coin to the merchant, he races to mine ( z + 1 ) blocks on a secret fraudulent branch that does not contain the transaction in any of its blocks. Meanwhile, the rest of the miners have picked up the payment transaction and added it to the main branch on which they mine. The merchant will release the goods once the main branch reaches length ( z ). The attacker does not release any of his blocks until the fraudulent branch has reached length ( z + 1 ), at which point he releases all block simultaneously. If the fraudulent branch is longer than the main branch, then the attacker will have successfully double-spent the coins that he originally transferred to the merchant.

A persistent attacker could conceivably continue to mine indefinitely, even after the main branch far surpasses the fraudulent branch. There will remain, in any case, a non-zero probability of success. However, one of Nakamoto’s fundamental results is that there will be an exponentially diminishing probability of success with every block that the attacker falls behind ([6]). Moreover, the cumulative cost will eventually become prohibitive to any rational attacker. Therefore, we assume the attacker will eventually quit if he remains behind for a sufficiently long period of time. Determining the optimal drop out point is left for future work; here we arbitrarily assume that the attacker will drop out if the main branch mines ( z + 1 ) blocks before he can. This choice has the desirable property (for the attacker) that the expected cost for any outcome will not exceed the cost he was willing to incur for a successful attempt.

3.2 Case 1 Analysis: Eclipse-Based Double-Spend

We determine Bitcoin’s security with respect to an eclipse-based double-spend attack by quantifying a potential attacker’s economic break-even point. Breakeven occurs when revenue ( R ) less cost ( C ) is zero:

[ R – C = 0. ]

(1)

We assume an attacker has fraction ( q ) of total mining power, and the merchant will not release goods until a paying transaction is ( z )-blocks deep in the main chain. If the ( z )th block has not been announced by ( d ) minutes, the sale is nullified.

Let ( X^q_i ) be a random variable representing the time it takes for the attacker to mine the ( i )th block using mining power ( q ), and let

[ X = \sum_{i=1}^{z} X^q_i. ]

(2)

Here, ( X ) represents the time it takes the attacker to reach ( z ) blocks using mining power ( q ). Define ( C(x; d, q) ) to be the cost of an attack with duration ( x ) minutes and deadline ( d ) that uses mining power ( q ). To calculate cost, we assume that the miner will stop mining once he mines the ( z ) blocks, but will continue to mine until the deadline if he is unsuccessful. Cost can be measured in terms of the opportunity cost for diverting the mining power from performing honest mining, that is, the attacker could have earned the block reward of ( B ) from the main branch. Blocks are mined, we expect, every 10 minutes. Therefore

[ C(x; d, q) = \begin{cases} qB \frac{10}{10}, & x \leq d \ qDB \frac{10}{10}, & x > d . \end{cases} ]

(3)

Mining is an example of a Poisson process because, under constant mining power, blocks are mined continuously and independently at a constant average rate. Therefore ( X^q_i \sim \text{exponential}(\beta) ) with ( \beta = 10/q ). It is well known that the exponential distribution is a special case of the gamma distribution with shape parameter ( \alpha = 1 ). Furthermore, the sum of ( z ) gamma distributions with shape ( \alpha = 1 ) and the same rate ( \beta ) is again gamma with rate ( \beta ) and shape ( z ). Thus ( X \sim \text{gamma}(z, 10/q) ). Let ( g(x; \alpha, \beta) ) be the density function for the distribution ( \text{gamma}(\alpha, \beta) ), and let ( G(x; \alpha, \beta) ) be the CDF. It follows that

[ E[C(X; d, q)] = \int_0^\infty C(x; d, q)g(x; z, \beta)dx ]

[ = \int_0^\infty C(x; d, q) \frac{1}{\beta^z(z-1)!} x^{z-1} e^{-x/\beta} dx ]

[ = qB \frac{10}{10} \left[ \int_0^d \frac{1}{\beta^z(z-1)!} x^{z-1} e^{-x/\beta} dx + d(1 – G(d; z, \beta)) \right] ]

[ = qB \frac{10}{10} \left[ \beta z \int_0^d \frac{1}{\beta^{z+1}z!} x^z e^{-x/\beta} dx + d(1 – G(d; z, \beta)) \right] ]

[ = qB \frac{10}{10} \left[ \frac{10z}{q} G\left(d; z + 1, \frac{10}{q}\right) + d(1 – G\left(d; z, \frac{10}{q}\right)) \right] ]

[ = \frac{qdB}{10} + zBG\left(d; z+1, \frac{10}{q}\right) – \frac{qdB}{10} G\left(d; z, \frac{10}{q}\right). ]

(4)

Consider now the attacker’s revenue $R(x; d)$. If he succeeds in the attack, then he will earn revenue $v$ and will earn nothing otherwise. Formally,

$$R(x; d) = \begin{cases} v, & x < d \ 0, & x \geq d \end{cases}.$$

(5)

The probability of his success is

$$P(X \leq d) = G(d; z, 10/q).$$

(6)

Hence the expected revenue is given by

$$E[R(X; d)] = vG(d; z, 10/q).$$

(7)

Using the fact that expected break-even occurs when $E[R(X; d)] – E[C(X; d, q)] = 0$ we have our result for Case 1:

$$v = \frac{E[R(X; d)]}{G(d; z, 10/q)} = \frac{E[C(X; d, q)]}{G(d; z, 10/q)} = \frac{qdB/10 + zBG\left(d; z+1, \frac{10}{q}\right)}{G(d; z, 10/q)} – \frac{qdB/10}{G(d; z, 10/q)}.$$

(8)

3.3 Case 2 Analysis: Double-Spend Without The Eclipse Attack

In this case, we assume that an eclipse attack is not employed by the attacker. By comparing results to Case 1, we can determine which is the more effective attacker strategy. Recall that the attacker builds a fraudulent branch holding the double-spend transaction, and honest miners build the main branch holding the payment transaction. The attack succeeds if the fraudulent branch becomes the main branch. No deadline is enforced by the merchant. She does, however, enforce an embargo on goods until the payment transaction is $z$-blocks deep.

Let $Y^q_i$ be a random variable denoting the time it takes the attacker to mine the $i$th block if he controls fraction $q$ of the total mining power. Similarly, define $M^q_i$ to be the time it takes the honest miners to mine block $i$ given that they control fraction $1 – q$ of the mining power. Finally, define

$$Y = \sum_{i=1}^{z+1} Y^q_i,$$

(9)

and

$$M = \sum_{i=1}^{z+1} M^q_i$$

(10)

to be the time it takes for the attacker and other miners, respectively, to mine $z + 1$ blocks. For the attack to be a success, it must be the case that $Y < M$. We assume that the attacker will stop mining when he reaches $z + 1$ blocks on the fraudulent branch or when the honest miners reach ( z + 1 ) blocks on the main branch, whichever happens first.

Analogously to Section 3.2, we define ( C(y, m; q) ) as the cost to the attacker when he possesses mining power ( q ) and the attacker and honest miners each mine for ( y ) and ( m ) minutes respectively:

[ C(y, m; q) = \begin{cases} qB/m, & y \leq m \ qB/m, & y > m \end{cases} ]

(11)

Just like ( X ) in Section 3.2, both ( Y ) and ( M ) have gamma distributions, this time with rate parameters ( \beta_Y = 10/q ) and ( \beta_M = 10/(1 – q) ), respectively. Specifically, ( Y \sim \text{gamma}(z + 1, \beta_Y) ) and ( M \sim \text{gamma}(z + 1, \beta_M) ). Define ( g(x; \alpha, \beta) ) and ( G(x; \alpha, \beta) ) as in Section 3.2. It follows that

[ E[C(Y, M; q)] = \int_0^\infty \int_0^\infty C(y, m; q) \ g(m; z+1, \beta_M)g(y; z+1, \beta_Y) \ dy \ dm \ = \int_0^\infty g(m; z+1, \beta_M) \left( \int_0^m yg(y; z+1, \beta_Y) \ dy \right) \ dm \ \quad + \ \frac{qB}{10} \left( \int_0^\infty mg(m; z+1, \beta_M) \int_m^\infty g(y; z+1, \beta_Y) \ dy \ dm \right) \ = \frac{qB}{10} \left( \int_0^\infty g(m; z+1, \beta_M) \int_0^m \beta_Y g(y; z+2, \beta_Y) \ dy \ dm \right) \ \quad + \ \beta_M \int_0^\infty g(m; z+1, \beta_M) \left( 1 – G(m; z+1, \beta_Y) \right) \ dm \right) \ = B(z + 1) \left( \int_0^\infty g(m; z, 10/(1 – q))G(m; z + 2, 10/q) \ dm + \ \frac{q}{1-q} \int_0^\infty g(m; z + 1, 10/(1- q)) \left( 1 – G(m; z + 1, 10/q) \right) \ dm \right). ]

To determine the attacker’s expected break-even point, we must also calculate his expected revenue.

Useful information for enthusiasts:

Contact me via Telegram: @ExploitDarlenePRO